need something very basic, but very reliable to run a tailscale subnet router on - my first thought was just a VM on a proxmox box, but if that shits the bed, i can't access the LOM because the subnet router is on it!

so probably need something standalone, but i don't want it sucking too much power (or too expensive)

@decryption usff ftw
@uep those have VPro/Intel AMT too, so if shit's really fucked i can go into the DC and not have to drag a monitor with me on a crash cart
@decryption @uep Good DCs will have a few crash carts in each data hall so typically isn’t an issue.
@uep @decryption Yeah, I'd have two usff OptiPlexes and have one as a cold spare (preferably with the config on there) so then you can just swap
@theraspb @uep hmmmm, i wonder if there's a way to have a HA style setup of those little guys - so if for some reason one craps out the other one takes over - maybe I can do it in the Arista switch? (ping the interface and if it stops responding, disable that port and enable the other SFF's port)
@decryption @uep don't even need to do that, Tailscale should look after that for ya https://tailscale.com/docs/features/subnet-routers#set-up-high-availability
@decryption @uep though I'm not sure if that's required, those boxes are pretty reliable regardless and well.. you've got 1 internet connection, not too sure if two tailscale boxes to access your OOB will do much if your net is down. I just meant that those boxes can be swapped out relatively painlessly if it does shit the bed.
@theraspb @uep yeah, a day or two of downtime to the OOB network shouldn't hurt anyone - cold spare makes a lot of sense
@decryption @uep i love cold spares, i reckon people don't use them enough.

@decryption @theraspb lots of options, including just two separate sessions on two sets of IPs so you pick one or the other as OOB access. The less cleverness the better.

My personal choice would be even simpler (though it's not necessarily mutually exclusive). Just wireguard on the mikrotik router or switch, protecting ssh to same. Then I can tunnel, send WoL packets, and more from there as needed to recover.

@decryption @theraspb @uep at that point, you could do a Proxmox HA cluster of 2 (or more if you really want) nodes so the Tailscale VM can fail over between them